[HTTPS-Everywhere] Breaking Other Websites
Peter Eckersley
pde at eff.org
Thu Nov 25 13:59:20 PST 2010
Daniel,
It might be that Firefox isn't sending HTTP-Referer for the HTTPS API
requests. IIRC the HTTP specification says not to send referers from https
pages to http pages; perhaps the reverse is also implemented.
Which are the problematic rewriting rules? The rulesets are here:
https://gitweb.torproject.org/https-everywhere.git/blob/HEAD:/src/chrome/content/rules/GoogleAPIs.xml
https://gitweb.torproject.org/https-everywhere.git/blob/HEAD:/src/chrome/content/rules/GoogleServices.xml
https://gitweb.torproject.org/https-everywhere.git/tree/HEAD:/src/chrome/content/rules
On Thu, Nov 25, 2010 at 10:17:16AM -0500, Daniel Lanigan wrote:
> So in short, when calling any functions on the API, which is being fetched
> via https, I get a security error (can't call method on NPObject) since the
> site is unencrypted and the api is https.
>
> So, I suppose the easiest fix for this would be to not change the protocol
> for scripts being called from an unencrypted site, even if the site (google)
> has a ruleset, or at least have this as an extra option.
--
Peter Eckersley pde at eff.org
Senior Staff Technologist Tel +1 415 436 9333 x131
Electronic Frontier Foundation Fax +1 415 436 9993